Read build secret files before sending to remote builder

For parity with local builds, read file contents from build_secrets
paths in stack.yaml before sealing and sending to the remote builder.
Literal secret values are no longer supported.

Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>

Author: welteki

builder/remote_builder.go

@@ -45,7 +45,11 @@ func runRemoteBuild(builderURL *url.URL, tarPath, payloadSecretPath, builderPubl
 
 	var stream *sdkbuilder.BuildResultStream
 	if len(buildSecrets) > 0 {
-		stream, err = b.BuildWithSecretsStream(tarPath, buildSecrets)
+		resolvedSecrets, err := readBuildSecrets(buildSecrets)
+		if err != nil {
+			return err
+		}
+		stream, err = b.BuildWithSecretsStream(tarPath, resolvedSecrets)
 	} else {
 		stream, err = b.BuildWithStream(tarPath)
 	}
@@ -57,6 +61,21 @@ func runRemoteBuild(builderURL *url.URL, tarPath, payloadSecretPath, builderPubl
 	return consumeBuildStream(stream, quietBuild, functionName, imageName)
 }
 
+// readBuildSecrets resolves build secret values by reading file contents.
+// Each value in the buildSecrets map is treated as a file path. The file
+// is read and its contents replace the path in the returned map.
+func readBuildSecrets(buildSecrets map[string]string) (map[string]string, error) {
+	resolved := make(map[string]string, len(buildSecrets))
+	for k, v := range buildSecrets {
+		data, err := os.ReadFile(v)
+		if err != nil {
+			return nil, fmt.Errorf("unable to read build secret %q from %s: %w", k, v, err)
+		}
+		resolved[k] = string(data)
+	}
+	return resolved, nil
+}
+
 func resolveRemoteBuilderPublicKey(builderURL *url.URL, builderPublicKeyPath string) (*remoteBuilderPublicKeyResponse, error) {
 	if builderPublicKeyPath == "" {
 		return fetchRemoteBuilderPublicKey(builderURL)

builder/remote_builder_test.go

@@ -109,7 +109,7 @@ func TestRunRemoteBuildWithSecrets(t *testing.T) {
 	}
 
 	if err := runRemoteBuild(builderURL, tarPath, payloadSecretPath, "", map[string]string{
-		"pip_token": "s3cr3t",
+		"pip_token": writeTempSecret(t, "s3cr3t"),
 	}, true, "fn", "ttl.sh/test:latest"); err != nil {
 		t.Fatalf("runRemoteBuild returned error: %v", err)
 	}
@@ -160,7 +160,7 @@ func TestRunRemoteBuildWithPinnedPublicKey(t *testing.T) {
 	}
 
 	if err := runRemoteBuild(builderURL, tarPath, payloadSecretPath, publicKeyPath, map[string]string{
-		"pip_token": "s3cr3t",
+		"pip_token": writeTempSecret(t, "s3cr3t"),
 	}, true, "fn", "ttl.sh/test:latest"); err != nil {
 		t.Fatalf("runRemoteBuild returned error: %v", err)
 	}
@@ -198,7 +198,7 @@ func TestRunRemoteBuildWithLiteralPublicKey(t *testing.T) {
 	}
 
 	if err := runRemoteBuild(builderURL, tarPath, payloadSecretPath, string(pub), map[string]string{
-		"pip_token": "s3cr3t",
+		"pip_token": writeTempSecret(t, "s3cr3t"),
 	}, true, "fn", "ttl.sh/test:latest"); err != nil {
 		t.Fatalf("runRemoteBuild returned error: %v", err)
 	}
@@ -224,3 +224,54 @@ func createTestTar(t *testing.T) []byte {
 	}
 	return buf.Bytes()
 }
+
+func writeTempSecret(t *testing.T, content string) string {
+	t.Helper()
+	p := filepath.Join(t.TempDir(), "secret")
+	if err := os.WriteFile(p, []byte(content), 0o600); err != nil {
+		t.Fatalf("os.WriteFile returned error: %v", err)
+	}
+	return p
+}
+
+func TestReadBuildSecrets(t *testing.T) {
+	secretDir := t.TempDir()
+
+	npmrcPath := filepath.Join(secretDir, ".npmrc")
+	if err := os.WriteFile(npmrcPath, []byte("//registry.npmjs.org/:_authToken=TOKEN123"), 0o600); err != nil {
+		t.Fatal(err)
+	}
+
+	netrcPath := filepath.Join(secretDir, ".netrc")
+	if err := os.WriteFile(netrcPath, []byte("machine github.com login user password pat"), 0o600); err != nil {
+		t.Fatal(err)
+	}
+
+	secrets := map[string]string{
+		"npmrc": npmrcPath,
+		"netrc": netrcPath,
+	}
+
+	resolved, err := readBuildSecrets(secrets)
+	if err != nil {
+		t.Fatalf("readBuildSecrets returned error: %v", err)
+	}
+
+	if got := resolved["npmrc"]; got != "//registry.npmjs.org/:_authToken=TOKEN123" {
+		t.Errorf("want npmrc %q, got %q", "//registry.npmjs.org/:_authToken=TOKEN123", got)
+	}
+	if got := resolved["netrc"]; got != "machine github.com login user password pat" {
+		t.Errorf("want netrc %q, got %q", "machine github.com login user password pat", got)
+	}
+}
+
+func TestReadBuildSecrets_FileNotFound(t *testing.T) {
+	secrets := map[string]string{
+		"missing": "/nonexistent/path/secret.txt",
+	}
+
+	_, err := readBuildSecrets(secrets)
+	if err == nil {
+		t.Fatal("expected error for missing file, got nil")
+	}
+}